You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@lucene.apache.org by kr...@apache.org on 2019/02/26 19:53:35 UTC
[lucene-solr] branch branch_8x updated: SOLR-9762: Remove the
workaround implemented for HADOOP-13346 (Kevin Risden)
This is an automated email from the ASF dual-hosted git repository.
krisden pushed a commit to branch branch_8x
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/branch_8x by this push:
new 71d8aef SOLR-9762: Remove the workaround implemented for HADOOP-13346 (Kevin Risden)
71d8aef is described below
commit 71d8aefc0c6a77025faeaa3b3e6bc6f29f895d72
Author: Kevin Risden <kr...@apache.org>
AuthorDate: Sat Feb 23 10:18:28 2019 -0500
SOLR-9762: Remove the workaround implemented for HADOOP-13346 (Kevin Risden)
Signed-off-by: Kevin Risden <kr...@apache.org>
---
solr/CHANGES.txt | 2 ++
.../org/apache/solr/security/HadoopAuthPlugin.java | 24 +++++-----------
.../org/apache/solr/security/KerberosPlugin.java | 32 ++++++----------------
3 files changed, 17 insertions(+), 41 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 51e916e..0ff3d34 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -91,6 +91,8 @@ Other Changes
* SOLR-13074: MoveReplicaHDFSTest leaks threads, falls into an endless loop, logging like crazy (Kevin Risden)
+* SOLR-9762: Remove the workaround implemented for HADOOP-13346 (Kevin Risden)
+
================== 8.0.0 ==================
Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
diff --git a/solr/core/src/java/org/apache/solr/security/HadoopAuthPlugin.java b/solr/core/src/java/org/apache/solr/security/HadoopAuthPlugin.java
index cce4a89..6881d8a 100644
--- a/solr/core/src/java/org/apache/solr/security/HadoopAuthPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/HadoopAuthPlugin.java
@@ -20,7 +20,6 @@ import static org.apache.solr.security.RequestContinuesRecorderAuthenticationHan
import static org.apache.solr.security.HadoopAuthFilter.DELEGATION_TOKEN_ZK_CLIENT;
import java.io.IOException;
-import java.io.PrintWriter;
import java.lang.invoke.MethodHandles;
import java.util.Collection;
import java.util.Collections;
@@ -37,15 +36,15 @@ import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpServletResponseWrapper;
+import com.fasterxml.jackson.core.JsonGenerator;
import org.apache.commons.collections.iterators.IteratorEnumeration;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler;
import org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder;
import org.apache.solr.cloud.ZkController;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.SolrException.ErrorCode;
-import org.apache.solr.common.util.SuppressForbidden;
import org.apache.solr.core.CoreContainer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -189,6 +188,10 @@ public class HadoopAuthPlugin extends AuthenticationPlugin {
// Configure proxy user settings.
params.putAll(proxyUserConfigs);
+ // Needed to work around HADOOP-13346
+ params.put(DelegationTokenAuthenticationHandler.JSON_MAPPER_PREFIX + JsonGenerator.Feature.AUTO_CLOSE_TARGET,
+ "false");
+
final ServletContext servletContext = new AttributeOnlyServletContext();
log.info("Params: "+params);
@@ -244,20 +247,7 @@ public class HadoopAuthPlugin extends AuthenticationPlugin {
log.info("-------------------------------");
}
- // Workaround until HADOOP-13346 is fixed.
- HttpServletResponse rspCloseShield = new HttpServletResponseWrapper(frsp) {
- @SuppressForbidden(reason = "Hadoop DelegationTokenAuthenticationFilter uses response writer, this" +
- "is providing a CloseShield on top of that")
- @Override
- public PrintWriter getWriter() throws IOException {
- final PrintWriter pw = new PrintWriterWrapper(frsp.getWriter()) {
- @Override
- public void close() {};
- };
- return pw;
- }
- };
- authFilter.doFilter(request, rspCloseShield, filterChain);
+ authFilter.doFilter(request, frsp, filterChain);
switch (frsp.getStatus()) {
case HttpServletResponse.SC_UNAUTHORIZED:
diff --git a/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java b/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java
index 87f37a8..8bc5625 100644
--- a/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java
@@ -16,8 +16,6 @@
*/
package org.apache.solr.security;
-import java.io.IOException;
-import java.io.PrintWriter;
import java.lang.invoke.MethodHandles;
import java.util.Enumeration;
import java.util.HashMap;
@@ -30,11 +28,11 @@ import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpServletResponseWrapper;
+import com.fasterxml.jackson.core.JsonGenerator;
import com.google.common.annotations.VisibleForTesting;
import org.apache.commons.collections.iterators.IteratorEnumeration;
+import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler;
import org.apache.solr.client.solrj.impl.Http2SolrClient;
import org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder;
import org.apache.solr.client.solrj.impl.SolrHttpClientBuilder;
@@ -42,7 +40,6 @@ import org.apache.solr.cloud.ZkController;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.SolrException.ErrorCode;
import org.apache.solr.common.cloud.SecurityAwareZkACLProvider;
-import org.apache.solr.common.util.SuppressForbidden;
import org.apache.solr.core.CoreContainer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -166,6 +163,11 @@ public class KerberosPlugin extends AuthenticationPlugin implements HttpClientBu
params.put(key, System.getProperty(key));
}
}
+
+ // Needed to work around HADOOP-13346
+ params.put(DelegationTokenAuthenticationHandler.JSON_MAPPER_PREFIX + JsonGenerator.Feature.AUTO_CLOSE_TARGET,
+ "false");
+
final ServletContext servletContext = new AttributeOnlyServletContext();
if (controller != null) {
servletContext.setAttribute(DELEGATION_TOKEN_ZK_CLIENT, controller.getZkClient());
@@ -223,25 +225,7 @@ public class KerberosPlugin extends AuthenticationPlugin implements HttpClientBu
public boolean doAuthenticate(ServletRequest req, ServletResponse rsp,
FilterChain chain) throws Exception {
log.debug("Request to authenticate using kerberos: "+req);
-
- final HttpServletResponse frsp = (HttpServletResponse)rsp;
-
- // kerberosFilter may close the stream and write to closed streams,
- // see HADOOP-13346. To work around, pass a PrintWriter that ignores
- // closes
- HttpServletResponse rspCloseShield = new HttpServletResponseWrapper(frsp) {
- @SuppressForbidden(reason = "Hadoop DelegationTokenAuthenticationFilter uses response writer, this" +
- "is providing a CloseShield on top of that")
- @Override
- public PrintWriter getWriter() throws IOException {
- final PrintWriter pw = new PrintWriterWrapper(frsp.getWriter()) {
- @Override
- public void close() {};
- };
- return pw;
- }
- };
- kerberosFilter.doFilter(req, rspCloseShield, chain);
+ kerberosFilter.doFilter(req, rsp, chain);
String requestContinuesAttr = (String)req.getAttribute(RequestContinuesRecorderAuthenticationHandler.REQUEST_CONTINUES_ATTR);
if (requestContinuesAttr == null) {
log.warn("Could not find " + RequestContinuesRecorderAuthenticationHandler.REQUEST_CONTINUES_ATTR);